Commit Graph

2860 Commits

Author SHA1 Message Date
Chris PeBenito e9eec95de4 devices: Module version bump. 2018-07-15 16:56:51 -04:00
Jagannathan Raman ce4fe74fe3 vhost: Add /dev/vhost-scsi device of type vhost_device_t.
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
2018-07-15 16:43:45 -04:00
Chris PeBenito d301e83161 mozilla, devices, selinux, xserver, init, iptables: Module version bump. 2018-07-10 20:11:40 -04:00
Jason Zaman 6bf506ec68 iptables: fcontexts for 1.8.0
The binary changed from /sbin/xtables-multi to xtables-legacy-multi and
xtables-nft-multi
2018-07-10 17:25:11 -04:00
Jason Zaman d53047dc58 Allow map xserver_misc_device_t for nvidia driver 2018-07-10 17:25:11 -04:00
Jason Zaman 871d47888b xserver: label .cache/fontconfig as user_fonts_cache_t 2018-07-10 17:25:11 -04:00
Jason Zaman 3c4f0dfaae mozilla: xdg updates 2018-07-10 17:25:11 -04:00
Jason Zaman 181298ab8b selinux: compute_access_vector requires creating netlink_selinux_sockets 2018-07-10 17:25:11 -04:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito 87b0512036 xdg, xserver, mplayer, games: Module version bump. 2018-06-24 20:32:02 -04:00
Jason Zaman 452c100212 apps: rw mesa_shader_cache 2018-06-24 19:11:14 -04:00
Jason Zaman 6f32775885 xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/ 2018-06-24 19:11:14 -04:00
Jason Zaman 5b85f31124 xdg: Introduce xdg_search_cache_dirs 2018-06-24 19:11:14 -04:00
Jason Zaman 49a5d06120 xdg: filetrans should not add filetrans from user_home_dir
SELinux 2.8 is stricter with duplicate filetrans and these rules cause
problems if a domain needs more than one xdg dir.

Domains should call xdg_generic_user_home_dir_filetrans_data directly if
needed.
2018-06-24 19:11:14 -04:00
Jason Zaman b9bbe78f9e xdg: Add map perms, also make lnk_file, dirs consistent 2018-06-24 19:11:14 -04:00
Chris PeBenito a6313231d6 sysnetwork: Module version bump. 2018-06-23 10:50:14 -04:00
Laurent Bigonville 66a0e1b8eb Label /etc/hosts.allow as net_conf_t
/etc/hosts.deny is labeled as net_conf_t so it makes sense to label
hosts.allow the same way

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2018-06-23 10:50:01 -04:00
Chris PeBenito 3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito 0f3132c795 Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 09:00:56 -04:00
Chris PeBenito afb14bd300 Remove refpolicy-contrib submodule. 2018-06-23 08:55:49 -04:00
Chris PeBenito 54f0118bc7 XDG: Module version bump. 2018-06-10 13:40:20 -04:00
Jason Zaman 8bb4fdfc29 userdom: remove filetrans from userdom_user_content_access_template 2018-06-10 13:23:58 -04:00
Sven Vermeulen b64a53494f tunable-managed user content access template
To simplify policy management on the various application domains with
respect to user content access, a template is introduced which generates
four tunable_policy() blocks.

- The *_read_generic_user_content boolean will enable the application
  domain to read generic user resources (labeled with user_home_t).
- The *_read_all_user_content boolean does the same, but for all user
  resources (those associated with the user_home_content_type attribute).
- The *_manage_generic_user_content boolean enables the application to
  manage generic user resources (labeled with user_home_t)
- The *_manage_all_user_content boolean does the same, but for all user
  reosurces (those associated with the user_home_content_type attribute).

Although it would be even better to generate the booleans themselves as
well (which is what Gentoo does with this template), it would result in
booleans without proper documentation. Calls such as "semanage boolean
-l" would fail to properly show a description on the boolean - something
Gentoo resolves by keeping this documentation separate in a
doc/gentoo_tunables.xml file.

In this patch, we assume that the calling modules will define the
booleans themselves (with appropriate documentation). The template
checks for the existence of the booleans. This approach is more in
line with how domain-specific booleans are managed up to now.

Changes since v2:
 - Fix typo in gen_require (had a closing : instead of ;)

Changes since v1:
 - Use in-line XML comment and tunable definition

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Sven Vermeulen d4dad1950d helper interfaces to read/manage all user content
To facilitate handling user home content (through the
user_home_content_type attribute) the following interfaces are provided:

- userdom_read_all_user_home_content
- userdom_manage_all_user_home_content

Domains that are granted these privileges are able to read (or manage)
all user home content, so not only the generic one (user_home_t) but all
types that have been assigned the user_home_content_type attribute. This
is more than just user_home_t and the XDG types, so the use should not
be granted automatically.

As part of the larger XDG patch set, these interfaces are called through
the *_read_all_user_content and *_manage_all_user_content booleans which
are by default not enabled.

Changes since v2:
- Fix typo in pattern call

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Sven Vermeulen 442849be7f Allow X server users to manage all xdg resources
With the introduction of the freedesktop XDG location support in the
policy, end users need to be allowed to manage these locations from their
main user domain.

The necessary privileges are added to the xserver_role() interface, which is
in use by the unconfined user domain as well as the main other user domains
(like user, sysadm and staff).

The necessary file transitions for the directories are added as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Sven Vermeulen 0a4d55da7a freedesktop location support
Introduce various freedesktop locations, based on the base directory
specification [1]. The new locations are introduced as a separate module
to keep the rules related to these specifications isolated from the main
user domain (which is already one of the biggest modules code-wise).

Right now, two distinct location groups are provided, one being the set
of locations that will have domain-specific types, and one that remains
generic for end users.

The first set of types are:
- XDG Cache location, meant for non-essential cached data. The base type
  here is xdg_cache_t, which is generally at $HOME/.cache
- XDG Data location, for user-specific data. The base type here is
  xdg_data_t, which is generally at $HOME/.local
- XDG Config location, for user-specific configuration files. The base
  type here is xdg_config_t, which is generally at $HOME/.config

The idea here is to provide support for domain-specific files as well.
For instance, Chromium has its user-specific configuration files in
~/.config/chromium, which is then marked as chromium_xdg_config_t.

This allows for isolation of potentially sensitive information from
regular user application domains. Firefox for instance should not be
able to read user configuration data from unrelated applications.

The second set of types are:
- User documents, with xdg_documents_t as the type. This is
  generally for the ~/Documents location.
- User downloads, with xdg_downloads_t as the type. This is
  generally for the ~/Downloads location.
- User music, with xdg_music_t as the type. This is generally for
  the ~/Music location.
- User pictures, with xdg_pictures_t as the type. This is generally
  for the ~/Pictures location.
- User videos, with xdg_videos_t as the type. This is generally for
  the ~/Videos location.

Alongside the type definitions, a number of access interfaces are
defined to support the use of these types, and for the first set to
enable the necessary file transitions.

[1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Chris PeBenito e2bae7b65d corecommands: Module version bump. 2018-06-10 13:19:13 -04:00
Jason Zaman ece7bdc282 corecommands: adjust gcc fcontext to also work on musl 2018-06-10 13:05:57 -04:00
Chris PeBenito 0252046c95 systemd: Move lines. 2018-06-07 20:17:15 -04:00
Dave Sugar f4713393ae policy for systemd-hwdb
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete.  It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar 2408d45a3d policy for systemd-update-done
systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun  6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun  6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun  6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun  6 13:11:58 localhost systemd: systemd-update-done.service failed.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar 664d932c0f systemd-resolved uses notify to indicate status
type=AVC msg=audit(1528207926.219:1609): avc:  denied  { write } for  pid=2689 comm="systemd-resolve" name="notify" dev="tmpfs" ino=6277 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1528208016.448:1702): avc:  denied  { sendto } for  pid=2689 comm="systemd-resolve" path="/run/systemd/notify" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar fd466a380e Allow systemd-resolved to connect to system dbusd
type=USER_AVC msg=audit(1527726267.150:134): pid=1170 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for service=org.freedesktop.resolve1 spid=1208 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar 0ddccc81ad Allow systemd_resolved to read systemd_networkd runtime files
type=AVC msg=audit(1527698299.999:144): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527698299.999:145): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698299.999:145): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698300.000:146): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527702014.276:183): avc:  denied  { search } for  pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527704163.181:152): avc:  denied  { open } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.181:153): avc:  denied  { getattr } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.604:173): avc:  denied  { read } for  pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:47 -04:00
Dave Sugar 1dd2e5aca4 Allow systemd-resolved to read sysctl
type=AVC msg=audit(1527698300.007:150): avc:  denied  { search } for  pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1527698300.007:150): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:150): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:151): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

type=AVC msg=audit(1527698300.006:148): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.006:148): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:149): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:47 -04:00
Chris PeBenito 6b0abaf880 init: Module version bump. 2018-05-02 17:22:52 -04:00
Jason Zaman 9219bde71e init: Add filetrans for /run/initctl
sysvinit 2.89 moved /dev/initctl to /run/initctl.

Reported-by: revel
2018-05-02 17:12:01 -04:00
Chris PeBenito c95e835170 sysnetwork: Module version bump. 2018-04-25 17:34:13 -04:00
Chris PeBenito 71b2ed038c sysnetwork: Move lines in sysnet_read_config(). 2018-04-25 17:33:51 -04:00
Jason Zaman 0ae2abab2e sysnetwork: put systemd_read_resolved_runtime in an ifdef
commit f865919872
(Interface to read /run/systemd/resolve/resolv.conf)
Added an interface to sysnet_read_config which requires the systemd
module loaded. Putting the interface in an optional_policy() is not
possible since sysnet_read_config is called from several tunables so
we use an ifdef.
2018-04-25 17:28:59 -04:00
Chris PeBenito ac9363d662 init, logging, sysnetwork, systemd, udev: Module version bump. 2018-04-17 20:20:27 -04:00
Dave Sugar f865919872 Interface to read /run/systemd/resolve/resolv.conf
With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file.
Please note, this can't be in optional due to tunable_policy in nis_authenticate interface.

type=AVC msg=audit(1523455881.596:214): avc:  denied  { search } for  pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc:  denied  { read } for  pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc:  denied  { open } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc:  denied  { getattr } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
Dave Sugar ceec13419f Fix problems booting with fips=1
Seeing the following problem when booting in enforcing with FIPS mode enabled.
Request for unknown module key 'CentOS Linux kernel signing key: c757a9fbbd0d82c9e54052029a0908d17cf1adc7' err -13
Then seeing the system halt

Fixing the following denials:
[    4.492635] type=1400 audit(1523666552.903:4): avc:  denied  { search } for  pid=894 comm="systemd-journal" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.496621] type=1400 audit(1523666552.907:5): avc:  denied  { read } for  pid=894 comm="systemd-journal" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.499741] type=1400 audit(1523666552.910:6): avc:  denied  { open } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.502969] type=1400 audit(1523666552.914:7): avc:  denied  { getattr } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

[    4.950021] type=1400 audit(1523666553.360:8): avc:  denied  { search } for  pid=952 comm="systemctl" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.986551] type=1400 audit(1523666553.397:9): avc:  denied  { read } for  pid=952 comm="systemctl" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    5.028737] type=1400 audit(1523666553.439:10): avc:  denied  { open } for  pid=952 comm="systemctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

type=1400 audit(1512501270.176:3): avc:  denied  { search } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
Chris PeBenito 2c54bc4eaf Update contrib. 2018-04-12 19:11:36 -04:00
Chris PeBenito e75bcdead0 Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
James Carter 93238de580 Remove undeclared identifiers from xserver interface
The interface xserver_manage_xdm_spool_files() uses the undeclared type
xdm_spool_t. Removed statements referring to this type and marked the
interface as deprecated because it is now empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter b8d528ea62 Remove undeclared identifiers from interfaces
These interfaces are not being called in the policy.

corenetwork.if.in:corenet_sctp_bind_generic_port(),
  corenet_dontaudit_sctp_bind_generic_port(), and
  corenet_sctp_connect_generic_port()
  Removed references to undeclared type ephemeral_port_t.

corenetwork.if.in:corenet_sctp_recvfrom_unlabeled()
  Removed references to undeclared type attribute corenet_unlabled_type.

devices.if:dev_read_printk()
  Removed references to undeclared type printk_device_t and marked
  interface as deprecated because it is now empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter 90b214c004 Move use of user_devpts_t from terminal.fc to userdomain.fc
The type user_devpts_t is actually declared in userdomain.te and moving it
removes a dependency of the base module (which terminal is a part) on a
module.

Moved the file contexts to label slave pseudo terminals with the
user_devpts_t type from terminal.fc to userdomain.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter 6226181924 Move use of systemd_unit_t from systemd.fc to init.fc
The type systemd_unit_t is actually declared in init.te.

Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter d172b3b45d Move the use of initrc_var_run_t from files.fc to init.fc
The type initrc_var_run_t is actually declared in init.te and moving it
removes a dependency of the base module (which files is a part) on a
module.

Moved the file contexts to label motd for debian systems with the
initrc_var_run_t type from files.fc to init.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00